If you have read about network security topics, you will be familiar with the Dynamic ARP Inspection method. Dynamic ARP Inspection prevents man-in-the-middle attacks based on ARP poisoning. Remember, if an attacker wants to collect the traffic destined to a specific IP, he can do it by using Gratuitous ARP: he sends an ARP reply to the victim with "the other host's IP but the attacker's own MAC address". If it is successful, the victim will start to forward the traffic towards the attacker's MAC address. Arista provides a new method against this: the IP Locking feature.
Requirements
This method uses a relay mechanism. The switch queries the lease table of the DHCP server, so RFC 4388 (DHCP leasequery) must be enabled on the DHCP server. It is simply "allow leasequery" in the CentOS/Windows DHCP server config file. The switch then communicates with the DHCP server through the given source IP.
Benefits
- A port will permit IP and ARP packets only with IP source addresses that have been authorized.
- It prevents a host on a different interface from claiming ownership of an IP address through ARP spoofing.
- IP Locking prevents hosts from masquerading as a DHCP server by blocking DHCP server packets.
- ARP probes with sender IP 0.0.0.0 are still allowed for duplicate address detection.
There is also an enforcement-disabled option, which permits all ARP packets but still blocks rogue DHCP packets in the network.
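The rules above can be expressed as a small decision function. This is an added example, not Arista code: it models the lease table the switch learns via leasequery as a dictionary, and the assumed behaviour of the enforcement-disabled mode (skipping both ARP and IP source checks, but still dropping rogue DHCP server messages) is an assumption, not taken from the page.

```python
from dataclasses import dataclass

# Constructed lease table in the shape the switch builds from DHCP leasequery
# (RFC 4388) replies: (client IP, client MAC) -> interface authorized for that lease.
# The entry mirrors the 'show address locking table' output; values are made up.
LEASES = {("172.22.111.12", "b445.06b1.6f3d"): "Ethernet1"}

@dataclass
class Packet:
    ingress: str                   # interface the frame arrived on
    kind: str                      # "arp", "ip" or "dhcp"
    src_ip: str                    # ARP sender IP or IP source address
    src_mac: str                   # source MAC of the frame
    dhcp_server_msg: bool = False  # True for server-side DHCP messages (OFFER/ACK)

def check(pkt, leases=LEASES, enforcement=True):
    """Apply the IP Locking rules to one packet on a locked port; return (permit, reason)."""
    # Rogue DHCP servers: server-side DHCP messages are dropped on a locked host port.
    if pkt.kind == "dhcp":
        if pkt.dhcp_server_msg:
            return False, "rogue DHCP server message blocked"
        return True, "DHCP client message"
    # Enforcement-disabled mode: ARP is not checked (assumed here to skip IP checks too).
    if not enforcement:
        return True, "enforcement disabled"
    # ARP probes with sender IP 0.0.0.0 pass so duplicate address detection keeps working.
    if pkt.kind == "arp" and pkt.src_ip == "0.0.0.0":
        return True, "ARP probe for duplicate address detection"
    iface = leases.get((pkt.src_ip, pkt.src_mac))
    if iface is None:
        return False, "source IP/MAC has no DHCP lease"
    if iface != pkt.ingress:
        return False, "lease belongs to another interface (ARP spoofing attempt)"
    return True, "authorized by DHCP lease"

def run_demo():
    """Run constructed packets through the checker; returns the list of verdicts."""
    samples = [
        Packet("Ethernet1", "ip", "172.22.111.12", "b445.06b1.6f3d"),   # legitimate host
        Packet("Ethernet2", "arp", "172.22.111.12", "b445.06b1.6f3d"),  # same IP/MAC, wrong port
        Packet("Ethernet1", "arp", "0.0.0.0", "b445.06b1.6f3d"),        # DAD probe
        Packet("Ethernet1", "dhcp", "0.0.0.0", "aaaa.bbbb.cccc", dhcp_server_msg=True),
    ]
    return [check(p)[0] for p in samples]

if __name__ == "__main__":
    print(run_demo())  # [True, False, True, False]
```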
Configuration Steps
address locking
   local-interface Management1
   dhcp server ipv4 172.22.111.2
interface Ethernet1
   address locking ipv4
Outputs
Arista#show address locking table ipv4
IP Address          MAC Address          Source       Interface       Installed       Expiration Time
------------------- -------------------- ------------ --------------- --------------- ---------------
172.22.111.12       b445.06b1.6f3d       server       Et1             installed       in 0:03:36
Total IP Address for this criterion: 1
Arista#show address locking table ipv4
IP Address          MAC Address          Source       Interface       Installed       Expiration Time
------------------- -------------------- ------------ --------------- --------------- ---------------
172.22.111.12       b445.06b1.6f3d       server       Et1             installed       in 0:02:37
Total IP Address for this criterion: 1
Arista#show address locking counters
                   Lease Active Lease Unknown Lease Unassigned
DHCP Server  Query Rcvd  Drop   Rcvd   Drop   Rcvd    Drop     Unknown
------------ ----- ----- ------ ------ ------ ------- -------- -------
172.22.111.2 114   3     0      0      0      0       0        0
Interface Query Lease Active Lease Unknown Lease Unassigned
--------- ----- ------------ ------------- ----------------
Ethernet1 114   3            0             0
Hi,
first thank you for this, this is really informative – IP Locking Security Feature in Arista
I have just one question about the “It is simply “allow leasequery” on centos/windows dhcp server config file. ”
How can I enable it on a Windows DHCP server? I didn't find anything about it on the server or on Google.
can you please help?
thanks in advance.
Hi Lidor,
For Windows server, there is a small service to be added. If the customer accepts it, we are adding it to their system. It is working.
If you need, contact me please.
Hi, can you show us how to add the allow leasequery on a Windows server that runs a DHCP server?
Hi Yafim,
You can reference the link below. It is done in the dhcpd config as below.
https://kb.isc.org/docs/isc-dhcp-41-manual-pages-dhcpdconf